Why agencies don't have to upgrade to a new crypto hash

The National Institute of Standards and Technology has selected the Keccak algorithm as the winner of a five-year competition to create a new Secure Hash Algorithm standard.

Keccak (pronounced "catch-ack") is a little stronger and a little faster than the current SHA-2 standard algorithms and will become a candidate for the new federal SHA-3 standard. But NIST scientists say it is not intended as a replacement for SHA-2 -- at least not for the foreseeable future -- and they do not want to derail agencies’ use of the current standard.

NIST is in the process of moving away from the old SHA-1 hash algorithm, which is reaching its end-of-life, and requiring the use of SHA-2 in its place. Agencies should not wait to make that upgrade in the hope of leapfrogging to SHA-3, scientists warn.

"In current protocols there is not going to be any major push to move to SHA-3," said Tim Polk, manager of NIST’s Computer Security Division’s Cryptographic Technology Group. "SHA-2 is a very good algorithm. For existing protocols in use today, SHA-2 is the way to go."

A hash algorithm is a cryptographic tool that can create a digest, or string of bits of a specific length, for a digital document. The digest is unique to the message and can be used to verify that the contents of a digital document have not been altered. If a message is changed by a third party, the before and after digests produced by the hash algorithm no longer will match. Hash algorithms also can be used to create digital signatures.

Although NIST has a lot of faith in SHA-2 today, "when we started the competition, we had less confidence in SHA-2," Polk said.

Back in 2007 cracks had begun to appear in the algorithms that collectively make up SHA-2 and it was decided to begin a competition for a new, stronger algorithm. But in the last five years the weaknesses did not develop as feared, and SHA-2 remains stronger today than expected.

"We know more now," Polk said. And that is one of the advantages of running a public competition for a new secure algorithm. "We moved the state of the art forward in this area."

The resilience of SHA-2 was not the only surprise. In NIST’s previous cryptographic competition, for the Advanced Encryption Standard, the winning algorithm was considerably stronger and faster than the predecessor 3DES. "We got everything we could have wanted," Polk said.

But advances were not so great in the SHA-3 competition. "What was surprising is that we weren’t getting a big speed-up in performance across the board," he said. "We couldn’t have predicted that at the time we started the competition."

It is somewhat faster, however, and somewhat more secure. Perhaps most important, Keccak is not vulnerable to the same types of attacks that SHA-2 might be vulnerable to, so if SHA-2 fails, SHA-3 would be available as a back-up. Other parts of the NIST crypto toolkit have multiple options, such as AES and 3DES for encrypting data. With the retirement of SHA-1, which is not approved for creating digital signatures after January 2014, there was no back-up Secure Hash Algorithm. SHA-3 would provide that insurance.
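The digest check described earlier and the back-up role described here, shown as an added Python example that is not part of the original article or of any NIST material: each digest is stored with the name of its algorithm, so a document tagged with SHA-2 can be verified and later re-tagged with SHA-3, while SHA-1 tags are refused. The policy table, the `alg:hexdigest` tag format and the function names are assumptions of this example.

```python
import hashlib
import hmac

# Policy (assumption of this example): SHA-2 is the default, SHA-3 is the
# stand-by, and SHA-1 is recognised only so it can be refused explicitly.
APPROVED = {"sha256": hashlib.sha256, "sha3_256": hashlib.sha3_256}
RETIRED = {"sha1"}
DEFAULT_ALG = "sha256"


def make_tag(data: bytes, alg: str = DEFAULT_ALG) -> str:
    """Return 'alg:hexdigest' so the algorithm name travels with the digest."""
    if alg not in APPROVED:
        raise ValueError(f"algorithm not approved: {alg}")
    return f"{alg}:{APPROVED[alg](data).hexdigest()}"


def verify_tag(data: bytes, tag: str) -> bool:
    """Recompute the digest named in the tag and compare in constant time."""
    alg, sep, expected = tag.partition(":")
    if not sep:
        raise ValueError("tag must look like 'alg:hexdigest'")
    if alg in RETIRED:
        raise ValueError(f"retired algorithm refused: {alg}")
    if alg not in APPROVED:
        raise ValueError(f"unknown algorithm: {alg}")
    actual = APPROVED[alg](data).hexdigest()
    return hmac.compare_digest(actual, expected.lower())


def migrate_tag(data: bytes, old_tag: str, new_alg: str) -> str:
    """Re-tag under another approved algorithm only if the old tag still verifies."""
    if not verify_tag(data, old_tag):
        raise ValueError("existing tag does not match; refusing to re-tag")
    return make_tag(data, new_alg)


if __name__ == "__main__":
    doc = b"Constructed sample document, version 1\n"  # constructed input
    tag = make_tag(doc)
    print("SHA-2 tag:       ", tag)
    print("unaltered copy:  ", verify_tag(doc, tag))
    print("altered copy:    ", verify_tag(doc + b"x", tag))
    print("re-tagged, SHA-3:", migrate_tag(doc, tag, "sha3_256"))
```

Because the algorithm name is stored next to the digest, switching the default is a one-line policy change and existing records stay verifiable during the transition.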

Keccak was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors. It was one of 64 algorithms submitted in the competition.

NIST will draft a new Federal Information Processing Standard proposing Keccak as SHA-3, which will be published for public review. After comments are addressed, the final proposed FIPS will go to the secretary of Commerce for approval as a federal standard. Polk said he hopes the process will be complete within the next 12 months.